Pastes

What are "pastes" and what do they have to do with data breaches?

Often when online services are compromised, the first signs of it appear on "paste"
sites like Pastebin. Attackers frequently publish either
samples or complete dumps of compromised data on these services. Monitoring and reporting on
the presence of email addresses on the likes of Pastebin can give impacted users a head start
on mitigating the potential fallout from a breach.

When you search for an email address on this site, both known data breaches and pastes are
searched simultaneously. After the results are returned, they both appear side by side with
an indication of where the address was found in a breach versus in a paste.

Identifying pastes and the role of Dump Monitor

Pastebin stores tens of millions of pastes and adds thousands more new ones every day. Rather
than attempt to analyse every paste in the system, Have I been pwned? monitors the appearance
of new pastes as announced by the Dump Monitor
Twitter accounts, in particular tweets that announce the presence of potential breaches
containing email addresses.

Paste formats

One of the attractions of paste services is that there are no constraints on the structure of
the content that can be published there. Consequently, pastes containing email addresses may
be very self-explanatory or appear completely obscure. However, there are some common
patterns which appear.

Database dumps: These will often take the form of scripts that can be run to
recreate the database structure. They typically contain comma-delimited fields representing
different columns in the database, often with passwords which may be secured with a
cryptographic hash. Example:

Email and password pairs: Compromised systems are often dumped into lists
of credentials consisting of username (often the email address) and password, occasionally
with other data accompanying it. Example:

Each of the above examples is representative of the sort of data structures often seen in
pastes. The appearance of the email address may be completely innocuous but it also often
indicates a serious breach. Only human review and assessment can determine if the paste
represents a risk that requires a response such as changing passwords.

The reliability of pastes

The presence of an email address on a paste site doesn't always mean it's been compromised in
a breach and the process that scans for addresses is entirely autonomous — there's no
human review. Do take a look at the paste and assess the impact for yourself if your address
appears there.

Paste duplication

Often a paste will appear on a service such as Pastebin multiple times. It may be identical
or contain slight variations but for all intents and purposes, it's the same content. This
may be because the same individual has published it multiple times or because a breach has
been socialised and then re-published by multiple people.

Have I been pwned? does not store the original paste, only metadata such as the title and
author if they exist. As such, there is no facility to identify duplicate pastes and instead
human discretion should be exercised if multiple pastes are found that appear to be the same.

Acceptable use, transient pastes and the role of Have I been pwned?

Services like Pastebin are pretty explicit about what is deemed to be "acceptable use"
of the service: no email lists, no login details, no password lists and no personal
information. Despite this, all these data classes frequently appear on Pastebin
many, many times per day. However, they're often transient, appearing briefly before being
removed.

Have I been pwned? usually consumes the paste data within 40 seconds of it being published.
However, only metadata about the paste (title, author, date) and the email addresses
appearing in the paste are stored. No further data such as credentials or personal
information is stored. The entire premise of the service rests on the service being
searchable via email address, so additional data (such as the original paste in its entirety)
is not required.
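The following sketch illustrates the two common paste formats described under "Paste formats" and the data-minimisation rule above: a paste is reduced to its metadata and email addresses, and everything else is discarded. It is an added example, not Have I been pwned?'s own code. The regular expressions, the names classify, reduce_paste and PasteRecord, and the sample pastes are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Deliberately simple address pattern (an assumption; the real extraction rules are not on the page).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# A line made of an address, a ':' or ';' separator, then a non-empty secret.
PAIR_RE = re.compile(r"^\s*[^\s:;@]+@[^\s:;@]+\.[^\s:;@]+\s*[:;]\s*\S+", re.M)
# SQL statements typical of a script that recreates a database.
SQL_RE = re.compile(r"^\s*(INSERT\s+INTO|CREATE\s+TABLE)\b", re.I | re.M)


@dataclass(frozen=True)
class PasteRecord:
    title: str
    author: str
    date: str
    emails: tuple  # sorted, lower-cased, de-duplicated addresses


def classify(body: str) -> str:
    """Rough guess at which of the two common formats a paste uses."""
    if SQL_RE.search(body):
        return "database dump"
    if PAIR_RE.search(body):
        return "email and password pairs"
    return "unknown"


def reduce_paste(title: str, author: str, date: str, body: str) -> PasteRecord:
    """Keep only metadata and addresses; passwords and other fields are dropped."""
    emails = sorted({m.lower() for m in EMAIL_RE.findall(body)})
    return PasteRecord(title, author, date, tuple(emails))


# Constructed sample pastes (example.com/example.org addresses, made-up values).
PAIRS = "alice@example.com:hunter2\nBob@Example.com:letmein\nalice@example.com:hunter2\n"
DUMP = ("INSERT INTO users (id, email, password) VALUES\n"
        "(1, 'carol@example.com', '5f4dcc3b5aa765d61d8327deb882cf99'),\n"
        "(2, 'dave@example.org', '098f6bcd4621d373cade4e832627b4f6');\n")

if __name__ == "__main__":
    for body in (PAIRS, DUMP):
        print(classify(body), reduce_paste("untitled", "", "2014-01-01", body))
```

Because the stored record no longer contains the paste body, two pastes with the same content cannot be compared afterwards, which is why duplicates are left to human discretion.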
